Firefox 143 (Fedora distribution) throws SEC_ERROR_UNKNOWN_ISSUER error on many websites
When trying to access many popular websites with Firefox on my Fedora 43 installation, I am greeted with a security warning page with the SEC_ERROR_UNKNOWN_ISSUER error. For most of these websites I can simply accept and continue, but HSTS-only sites will not permit this.
Affected websites include but are not limited to (based on exceptions in the certificates section of Firefox settings):
- github.io (many subdomains)
- purdue.edu (many subdomains)
- iu.edu
- ebay.com
- cbsnews.com
- iwm.org.uk
- home.cern
- celestrak.org
Any help in resolving this is appreciated.
Wubrane rozwězanje
After a while of twiddling my thumbs I decided to go to "USERTrust RSA Certification Authority" in the Certificate Authority list previously mentioned and mark it as able to identify websites. A little bit of initial testing suggests that has fully fixed the issue. I am not sure how else I could resolve it (probably a question for the Fedora community given that only the included system install has the issue and Nightly/etc works fine), though I realize that simply forcing trust for a CA may not be the brightest idea.
Toś to wótegrono w konteksće cytaś 👍 0Wšykne wótegrona (5)
If you use the View Certificate link (sometimes, this requires clicking the Advanced button), is there any pattern to the issuer, such as a proxy server or security software vendor?
They all seem to be issued by dedicated certificate companies, though almost all use Sectigo certificates (the .edu ones use InCommon).
Usually the View Certificate page has multiple tabs. You could start with the right-most tab and see whether that ultimate signing certificate is listed as trusted here as a Builtin Object Token:
Settings page > type cert in the tiny search box to filter the page > View Certificates button > Authorities tab
Or if Firefox is set to use the system certificate store (checkbox for "Allow Firefox to automatically trust third-party root certificates you install") perhaps you need to check somewhere else on the system (I'm not familiar with how Linux handles it).
They all share the "USERTrust RSA Certification Authority" as the highest level cert which (along with its issuer) *is* labelled as "Default Trust". If I click "Edit Trust", there are checkboxes for identifying websites and mail users, both of which are unchecked for *all* authorities that I checked. I believe the system install of Firefox that comes with Linux distributions is already set to use the system certificate store based on prior searching, and there are no settings corresponding to root certificates other than the usual certificate list.
To try and eliminate all possible variables, I downloaded and ran the current Firefox Nightly (144.0b9) and visited these sites with no issue. It seems there is something about the pre-loaded system install of Firefox Stable that is causing these certificate issues, but I am not sure what it could be.
Wubrane rozwězanje
After a while of twiddling my thumbs I decided to go to "USERTrust RSA Certification Authority" in the Certificate Authority list previously mentioned and mark it as able to identify websites. A little bit of initial testing suggests that has fully fixed the issue. I am not sure how else I could resolve it (probably a question for the Fedora community given that only the included system install has the issue and Nightly/etc works fine), though I realize that simply forcing trust for a CA may not be the brightest idea.
Musyśo se pla swójogo konta pśizjawiś, aby na pśinoski wótegronił. Pšosym stajśo pšašanje, jolic hyšći njamaśo wužywaŕske konto.